INCORPORATION BY REFERENCE TO ANY PRIORITY APPLICATIONS

[0001] This application claims the benefit of priority of U.S. Provisional Application No. 63/319172 titled “KEY GENERATION APPARATUS AND METHOD”, which was filed on March 11, 2022, the entire disclosure of which is incorporated herein by reference.

BACKGROUND

Technical Field

[0002] The present disclosure relates to methods and apparatus for generating quantum random numbers for generating data keys, more optionally for generating cryptographic keys, and yet more optionally for generating postquantum cryptographic keys.

Description of Related Art

[0003] Pseudo-random number generation algorithms are executable on classical computing devices (e.g., classical binary computing devices); such algorithms are capable of generating sequences of random numbers from a seed number, wherein data keys can be generated from the sequences of random numbers. However, such algorithms are in principle deterministic, such that the sequences of random numbers are potentially predictable to third parties given sufficiently powerful computing resources, and the data keys generated from the sequences of random numbers are therefore correspondingly predictable. In order to address such a vulnerability, it has been proposed to use classical stochastic processes for generating sequences of random numbers, wherein data keys can be generated from the sequences of random numbers. However, quantum phenomena are able to give rise to sequences of random numbers that are sufficiently entropic that data keys generated therefrom cannot be predicted, given substantially unlimited computing resource being available to a third party hacker; similar considerations pertain to keys used in various cryptosystems. As such, it is desirable to have data key generation systems that generate such keys using quantum phenomena.

SUMMARY

[0004] The present disclosure seeks to provide a hardware apparatus for generating certified random numbers using prepare-and-measure method where the certified random numbers are generated based on events whose quantum nature is associated with an energytype constraint satisfied by a light source. The certified random numbers may be used to generate postquantum cryptographic keys.

[0005] According to one aspect, an apparatus for generating a certified random number based at least in part on quantum events. The apparatus includes: a quantum device configured to generate the quantum events; a classical computing device in communication with the quantum device, the classical computing device comprising a control and processing system. The control and processing system includes a memory configured to store specific computer-executable instructions and a hardware processor in communication with the memory and configured to execute the specific computer-executable instructions to at least: generate a quantum random bit string using the quantum device; determine an entropy level of the quantum random bit string using a plurality of entropy witnesses; and in response to determining that the entropy level of the quantum random bit string is greater than an entropy level associated with an entropy witness of the plurality of entropy witnesses, use the quantum random bit string to generate the certified random number.

[0006] According to another aspect, a method of generating a certified random number based at least in part on quantum events includes: by a hardware processor of a control and processing system: using a quantum device configured to generate a quantum random bit string; determining an entropy level of the random bit string using a plurality of entropy witnesses; and in response to determining that the entropy level of the quantum random bit string is greater than an entropy level associated with an entropy witness of the plurality of entropy witnesses, generating the certified random number using the quantum random bit string.

[0007] According to another aspect, a method of calibrating and certifying a light source for usage in a quantum device for generating quantum random bit strings, the light source comprising a photon source and an optical link, wherein the optical link transmits at least a portion of light generated by the photon source to a photodetector, the method comprising: measuring the portion of light received by the photodetector while controlling the photon source with a first trigger signal using the photodetector, to determine a quantum state of the portion of light received by the photodetector with respect to an energy-type constrain. The method further includes in response to determining that the portion of light received by the photodetector does not satisfy the energy-type constraint, adjusting the optical link to attenuate the portion of light received by the photodetector; measuring the attenuated portion of light received by the photodetector while controlling the photon source with a second trigger signal using the photodetector, to determine a quantum state of the attenuated portion of light receive by the photodetector with respect to the energy-type constraint; and in response to determining that the portion or the attenuated portion of received by the photodetector or satisfies the energy-type constraint, certifying the light source for usage in the quantum device.

[0009] According to another aspect, an apparatus for generating a certified quantum random number in an operational mode and a seed random number in a kick-off mode includes: a quantum device configured to generate the quantum events; a classical computing device in communication with the quantum device. The classical computing device includes a control and processing system configured to: use the quantum device to generate a first and a second quantum random bit string; generate the seed random number using the first and the second quantum random bit strings; use the quantum device to generate a third quantum random bit string; and generate the certified random number using the third quantum random bit string and the seed random number.

[0010] According to another aspect, a method of generating a certified quantum random number in an operational mode and a seed random number in a kick-off mode, the method includes, by a control and processing system: generating a first and a second quantum random bit string using a quantum device; generating the seed random number using the first and the second quantum random bit strings; generating a third quantum random bit string using the quantum device; and generating the certified random number using the third quantum random bit string and the seed random number.

[0011] According to another aspect, a non-transitory computer-readable storage medium comprising specific computer-readable instructions executable on data processing hardware, wherein the specific computer-readable instructions, when executed the data processing hardware, implement any the method methods described in the above aspects.

[0012] According to another aspect, there is provided an apparatus for generating certified random numbers (e.g., data keys), wherein the apparatus is a self-contained hardware unit configured to operate substantially at room temperature, wherein the apparatus includes a quantum random number generator including a quantum device to generate a quantum random bit stream, a randomness extractor (e.g., a seeded extractor) to generate a random number using the quantum random bit stream.

[0013] Certain embodiments can provide an advantage in that the apparatus is susceptible to being implemented as a compact hardware item that is self-contained and is capable, when in use, of delivering high volumes of data keys of exceptionally high entropy.

[0014] Optionally, the data keys include encryption keys. More optionally, the data keys include postquantum cryptographic keys.

[0015] Optionally, in the apparatus, the quantum random number generator is implemented using a laser to generate photons, an optical arrangement to couple at least a portion of the photons from the laser to a detector arrangement, and a processing arrangement to process a signal from the detector arrangement, wherein the optical arrangement is configured with the detector arrangement to create conditions for single photon quantum events in a spatial or temporal regime, wherein the detector arrangement is configured to detect the events, and the processing arrangement is configured to apply a statistical test to verify that the events are truly quantum events. More optionally, in the apparatus, the statistical test includes determining an entropy level or minimum entropy level of a quantum random bit stream using one or more entropy witnesses, although other types of statistical tests can alternatively or additionally be used.

[0016] Optionally, in the apparatus, the laser is implemented as a mode-locked selfpulsing laser.

[0017] Optionally, in the apparatus, the laser is a solid state laser, a fiber laser, or a semiconductor laser.

[0018] Optionally, in the apparatus, the laser is configured to operate in a pulsed mode. [0019] Optionally, in the apparatus, the laser is configured to operate in a selftriggering mode.

[0020] Optionally, in the apparatus, the laser may be externally triggered to generate a pulse train.

[0021] Optionally, in the apparatus, the extractor is implemented as a Dodis extractor.

[0022] Optionally, the apparatus includes a monitoring arrangement in a data interface and control unit that is configured to monitor operating conditions of the apparatus to determine whether an entropy witness can be used to guarantee that the entropy level of a quantum random bit string (QRBS) generated using the quantum device of the apparatus exceeds a required degree of entropy for the QRBS to be used (e.g., for generating the data keys).

[0023] Optionally, the apparatus is configured to switch from an operating phase when generating random numbers to a “quick off’ phase, wherein the quantum device is used to generate a seed for use in a seeded extractor during another operating phase.

[0024] Optionally, in the apparatus, data processing required for the apparatus to function when in use is implemented using at least one FPGA.

[0025] Optionally, the apparatus is implemented using hardware that can be contained within a volume of less than 1000 cm ³ .

[0026] Optionally, the apparatus is configured to dissipate less than 10 Watts when in operation.

[0027] According to another aspect, there is provided a method for (namely, a method of) using an apparatus to generate data keys, wherein the apparatus (10) is a self- contained hardware unit configured to operate at substantially room temperature, wherein the method includes:

(a) configuring the apparatus to include a quantum random number generator including a quantum device to generate a quantum random bit stream;

(b) using an extractor (e.g., a seeded extractor) to generate a random number using the quantum random bit string received from the quantum device, and (c) using a control and processing system to control and monitor operation of the apparatus and to process the output of the extractor to generate the random numbers.

[0028] Optionally, the apparatus uses the random numbers to generate data keys. The data keys can be cryptographic keys. More optionally, the data keys are postquantum cryptographic keys.

[0029] Optionally, the method includes:

(i) implementing the quantum random number generator using a laser to generate photons;

(ii) using an optical arrangement to couple the photons from the laser to a detector arrangement;

(iii) using a processing arrangement to process a signal from the detector arrangement, wherein the optical arrangement is configured with the detector arrangement to create conditions for measuring single photon detection quantum events in a spatial or temporal regime;

(iv) using the detector arrangement to detect the events;

(v) using the events to generate a quantum random bit string; and

(vi) using the processing arrangement to apply a statistical test based on an entropy witness to verify that an entropy of the quantum random bit string is larger than a minimum entropy associated with the entropy witness.

[0030] According to another, there is provided a software product recorded on a machine readable data storage medium, wherein the software product is executable on data processing hardware for implementing the method of the second aspect.

[0031] Additional aspects, advantages, features and objects of the present disclosure would be made apparent from the drawings and the detailed description of the illustrative embodiments construed in conjunction with the appended claims that follow.

[0032] It will be appreciated that features of the present disclosure are susceptible to being combined in various combinations without departing from the scope of the present disclosure as defined by the appended claims. BRIEF DESCRIPTION OF THE DRAWINGS

[0033] Embodiments of the present disclosure will now be described, by way of example only, with reference to diagrams of the present disclosure, wherein:

[0034] FIG. 1 is an illustration of an embodiment of a random number generating apparatus according to the present disclosure.

[0035] FIG. 2A and 2B are schematic illustrations of optical arrangements that are useable to implement a quantum random number generator of the apparatus of FIG. 1; and

[0036] FIG. 3 is a schematic diagram of an active vibration damping arrangement for a quantum device of the apparatus of FIG. 1

[0037] FIG. 4 is a block diagram illustrating a system that may be used to generate certified random numbers associated with quantum events using prepare-and-measure or the OOK method.

[0038] FIG. 5A is block diagram of an apparatus for generating certified quantum random numbers using the method described above with respect FIG. 4.

[0039] FIG. 5B is a flow diagram illustrating an example process that may be used by the apparatus shown in FIG. 5A, in normal mode operation, to generate certified random numbers.

[0040] FIG. 6 is a block diagram illustrating an example optoelectronic system for generating certified random numbers.

[0041] FIG. 7 is a flow diagram illustrating an example process that may be used by the apparatus shown in FIG. 5A, in a quick-off phase or quick-off mode, to generate a seed random number.

[0042] In the accompanying diagrams, an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent. When a number is non-underlined and accompanied by an associated arrow, the non-underlined number is used to identify a general item at which the arrow is pointing. DETAILED DESCRIPTION OF EMBODIMENTS

[0043] The present disclosure relates to methods and apparatus for generating data keys, more optionally for generating cryptographic keys, and yet more optionally for generating postquantum cryptographic keys. Moreover, the present disclosure relates to methods for (namely, methods of) using aforesaid apparatus to generate aforesaid keys. Furthermore, the present disclosure relates to software products, for example stored on a data carrier, wherein the software products are executable on computing hardware to implement aforesaid methods.

[0044] Pseudo-random number generation algorithms are executable on classical binary computing devices; such algorithms are capable of generating sequences of random numbers from a seed number, wherein the sequences of random numbers can be used to generate data keys. However, such algorithms are deterministic, such that the sequences of random numbers are potentially predictable to third parties given sufficiently powerful computing resources, wherein data keys generated from the sequences of random numbers are therefore also predictable. In order to address such a vulnerability, it has been proposed to use classical stochastic processes such as electronic noise, Zener diode noise and thermal noise as more entropic ways to generate more entropic sequences of random numbers, wherein more entropic data keys can be generated from the more entropic sequences of random numbers. But given that an adversary has sufficiently powerful computing resources, such classical stochastic processes cannot be used to generate unbreakable cryptographic keys being extracted from the more entropic sequences (e.g., using a Dodis extractor). In contrast, quantum phenomena may be leveraged to generate sequences of random numbers that are sufficiently highly entropic that data keys generated therefrom resist prediction even assuming an adversary with substantially unlimited computing resources; similar considerations pertain mutatis mutandis to keys for RSA encryption. A technical problem that is encountered is that users desire to have a data key generation apparatus, for a cryptographic key generation apparatus, that is spatially local thereto, for example located entirely locally within the users’ high security enclave or system.

[0045] Compact quantum random number generators are known. For example, in a scientific article “Compact quantum random number generator based on superluminescent lightemitting diodes”, Shihai Wei et al. Rev Sci Tnstrum 2017 Dec; 88(12): 123115 doi: 10.1063/1.5005506, there is described a method for implementing a compact quantum random number generator (QRNG); the QRNG is configured to function by measuring amplified spontaneous emission (ASE) noise of superluminescent light emitting diodes. In the QRNG, after detecting and amplifying the ASE noise, data acquisition and randomness extraction are both implemented in realtime, and final random bit sequences generated by the extraction are delivered to a host computer at a realtime generation rate of 1.2 Gbps; the data acquisition and randomness extraction are integrated in a field programmable gate array (FPGA). Moreover, to achieve compactness, all the components of the QRNG are integrated onto three independent printed circuit boards of compact design, and the QRNG is packed in a small enclosure sized 140 mm x 120 mm x 25 mm. The final random bit sequences are able to pass all the NISTSTS and DIEHARD tests.

[0046] According to a first aspect, there is provided an apparatus for generating data keys (for example cryptographic keys, postquantum cryptographic keys), wherein the apparatus is a self-contained hardware unit configured to operate at room temperature, wherein the apparatus includes a quantum random number generator including a quantum device to generate a quantum random bit stream, an extractor to generate a certified random number using the quantum random bit string received from quantum device, and a data control and processing unit that is configured to control and monitor operation of the apparatus.

[0047] Referring to FIG. 1, there is shown an embodiment of a data key generating apparatus; the apparatus is indicated generally by 10. Data keys generated by the apparatus 10 when in operation are optionally cryptographic keys, for example postquantum cryptographic keys. Moreover, the apparatus 10 includes an optical system (quantum device) 22 that provide random quantum events , and control system 60 that functions in use to perform a statistical test based on an entropy witness, e.g., an entropy witness associated to the generator 20, as an extractor 30, a pseudo random number generator 40, and a data processor and interface 50. In some cases, the control and processing system 60 can be a self-contained electronic system. Advantageously it will be difficult for a malicious third party to monitor signals within such electronic system and thereby eavesdrop on data flows and data processing operations occurring therein; thus, it is difficult for the malicious third party to capture any information that may reduce the security of the system or randomness of the certified random numbers generated by the system. Tn various implementations, the control and processing system 60 may comprise a field programmable gate array (FPGA), a development board (c.g., a board that includes a central processing unit (CPU) and/or FPGA), a microcontroller, a microprocessor, an application- specific integrated circuit (ASIC), or other systems. In some cases, the pseudo random number generator 40, and a data processor and interface 50. In some cases, the control and processing system 60 may include analog-to-digital or digital-to-analog converters.

[0048] Optionally, a part of the data interface and control unit 50 is implemented using a microprocessor and/or a microcontroller that is configured to execute one or more software products for performing functions of the apparatus 10 as described above.

[0049] In some cases, in the apparatus 10, at least a part of the quantum random number generator 20 is carefully shielded electromagnetically from electronic switching devices such as the control system to reduce any signaling occurring therebetween. Such screening is beneficially achieved using ferromagnetic conductive sheet, for example Mumetal sheet, although other conductive screening materials are alternatively used. In some cases, as illustrated in FIG. 3, at least a part of the quantum random number generator 20 can be mounted on an actuator arrangement 220 and is also provided with a solid-state vibration sensor 200, wherein a vibration signal from the vibration sensor 200 is provided via a negative feedback loop amplifier 210 to drive the actuator arrangement 220 to cancel vibration experienced at critical parts of the quantum random number generator 20; such an implementation enables the apparatus 10 to be mounted in high-vibration environments, for example equipment racks where cooling fans cause significant environmental vibration and acoustic noise. Optionally, the actuator arrangement 220 includes at least one of: a piezo-electric actuator 230A, an electromagnetic actuator 230B. Optionally, such active vibration damping is activated on demand when the apparatus 10 is required to deliver data keys, but otherwise deactivated to reduce power dissipation within the apparatus 10.

[0050] The quantum device of the generator 20 is configured to use quantum phenomena of at least quantum superposition to generate a data stream having a minimum level entropy; these highly entropic data streams are statistically processed within the control and processing system 60 and subjected to an entropy level test using an entropy witness ; for example, when the data streams pass an entropy witness test, they are thereby determined to have an entropy level larger than a minimum entropy associated with the corresponding entropy witness.

[0051] It will be appreciated that the apparatus 10 is intended to be physically compact, for example to be accommodated within a volume of less than 1000 cm ³ , more optionally less than 500 cm ³ , yet more optionally less than 300 cm ³ , and be capable of functioning at approximately (substantially) room temperature, namely in a room temperature range of approximately + 0 °C to + 40 °C, although the apparatus 10 is capable of being configured to function outside this range if required. By using photonics components, it is feasible to implement the quantum device so that it does not require cooling or refrigeration, thereby enabling a compact arrangement to be realized. The quantum device of the generator 20, when in use, detects a presence or absence of individual photons, either by temporal discrimination or spatial discrimination, or both. Beneficially, the quantum device is temperature stabilized, for example heated to function at a steady temperature of +45 °C when in operation.

[0052] FIG. 2A is a block diagram illustrating an example experimental arrangement that may be used to characterize an output optical beam (a photon stream) generated by the optical source 25 (e.g., a laser); optionally, the output optical beam is attenuated before being divided by a beam splitter 100. A given photon that passes through a splitter 100 can either follow a first optical path A 110A to be received at a first detector A 120A or a second optical path B 110B to be received at a second detector B 120B, but not both at a given instance of time. In some cases, e.g., when the light source 25 is a single photon source, if a signal is generated at both detectors 120A, 120B at a given instant of time when the given photon propagates, the corresponding signals SIG. A and SIG. B are likely outputting stochastic classical noise. In some cases, if a signal is generated at only one detectors 120A, 120B at a given instant of time, the corresponding signal SIG. A or SIG. B can be associated with a quantum event. The detectors 120A, 120B may have high sensitivity and low noise. In some cases, the detectors 120A, 120B may comprise single photon detectors.

[0053] In some embodiments, the optical source 25 comprises a solid state laser or an Erbium doped optical fiber laser. Optionally, the optical source 25 is operated as a pulsed optical source or comprises a pulsed laser. Optionally, the optical source 25 is operated as a self-pulsing laser. Tn some cases, such pulsed operation may reduce dissipated power, and cooling requirements for the optical source 25.

[0054] In some embodiments, the optical source 25 is temperature controlled when in operation; for example, the laser 25 beneficially has an associated in-built temperature sensor and an associated temperature feedback control loop to maintain dissipation within the laser 25 so that it operates at a substantially constant operating temperature. In some embodiments, the optical source 25 is electromagnetically screened against stray electrostatic or electromagnetic ambient radiation. In some case, an output optical beam generated by the optical source 25 is attenuated, as aforementioned, before being permitted to propagate to follow the first optical path A 110A to be received at a first detector A 120A or a second optical path B 110B to be received at a second detector B 120B; such attenuation is required to enable a relatively low photon flux and satisfy an energy-type constraint on the quantum state of the photons received by the first and the second photodetectors 120A, 120B.

[0055] FIG. 2B shows an example optical system 22 used in the apparatus 10. In some cases, temporal discrimination can be used to detect individual photons in an optical beam of photons propagating in operation from the laser 25 to the detector A 120A. Again, the detector 120A needs to be sensitive and low noise to be able to detect individual photons. By using temporal discrimination of individual photons potentially results in the apparatus 10 being simpler in design and more compact than when an arrangement of FIG. 2A is used.

[0056] In FIG. 2B, the laser 25 is optionally a solid state laser or an Erbium doped optical fiber laser, as aforementioned. Optionally, the laser 25 is a mode locked laser 25. Optionally, the laser 25 is operated as a pulsed laser. Optionally, the laser 25 is operated as a self pulsing laser. Optionally, the laser 25 is temperature controlled when in operation. Optionally, the laser 25 is electromagnetically screened against any stray electrostatic or electromagnetic ambient radiation; the laser 25 is thereby operated in an approximately nonsignalling manner, more optionally in a substantially non-signalling manner (i.e. completely shielded from any form of crosstalk from other components of the apparatus 10). An output beam from the laser 25 is attenuated before being permitted to propagate to the detector A 120A; such attenuation is required to provide a photon flux having a quantum state satisfying an energy-type constraint. [0057] Tn some embodiments, output parameter of the laser 25 in the optical system 22 may be monitored for changes over time that could affect performance of the apparatus 10. In an event that the changes are greater than a threshold amount, the apparatus 10 is configured to send a warning message to a user of the apparatus 10. Optionally, a feedback loop is included in the apparatus 10 to control the laser 25 such that a pulse power or a number of photons in an optical pulse remain substantially constant; In some cases, the changes may be monitored to determine ageing within the apparatus 10, for example by comparing against a mathematical model of the apparatus 10. In an event that the changes indicate that the apparatus 10 is potentially becoming unreliable, a warning is sent to a user of the apparatus 10 via a user interface. In some implementations, a spectral composition of the optical output, namely beam, from the laser 25 is monitored, e.g., using an optical Bragg grating with an associated array optical sensor, for identifying individual spectral components of the optical output.

[0058] On account of detecting individual photons being technically extremely challenging in view of small signals involved, outputs from the quantum device will include components of classical stochastic noise (for example, thermal noise in photon detectors and associated amplifiers) and also quantum noise. Testing for being a quantum phenomenon can be a verification that an output from the quantum device is representative of a quantum event and suitable for use in generating random numbers (e.g., data keys) in the apparatus 10, for example postquantum cryptographic keys.

[0059] In operation, the quantum random number generator 20 provides a string of 0’s and l’s as logic states, referred to as “QRNG”, to the extractor 30; in operation of the apparatus 10, the QRNG is statistically verified in by the statistical test 24 as having a sufficient level of entropy. In some cases, the statistical test 24 may comprise testing the QRNG using an entropy witness designed to determine whether an entropy level of the QRNG exceeds a threshold entropy level associated with the entropy witness. Conveniently, the extractor 30 is configured to function as a Dodis extractor, although other implementations of extractor are also feasible to use in the apparatus 10. The pseudo random number generator 40 generates a pseudo random number that is used to trigger the optical device 22 to generate quantum events usable for generating QRBSes that are provided to the extractor 30 to generate postquantum cryptographic keys for output from the apparatus 10. In some examples, the apparatus 10 may generate in excess of 50 million post-quantum cryptographic data keys per second. As is known from Claude Shannon’s theories, for optimal data security, cryptographic keys may be used only once (namely, a “nonce”), and should ideally have a bit length comparable to a length of data being encrypted. Thus, when the apparatus 10 is used in very highly secure cybersecurity systems required to provide a high data throughput, a large number of post-quantum cryptographic keys are used each second, for example many millions of such keys per second; the apparatus 10 when in operation is capable of delivering such a large volume of data keys.

[0060] The random number generators described herein (e.g., the apparatus 10) can be semi-device-independent (SDI) random number generators that generate certified random numbers at least partly based on quantum events. These random number generators may be designed to provide an optimal tradeoff between being susceptible to practical implementation in a self-contained compact hardware arrangement and providing extreme data security. Moreover, these random number generators are of an advantage in that they can be operated with modest energy consumption, namely in the order of a few Watts of power consumption when in operation, optionally less than 1 Watt power consumption. In some embodiments, these random number generators implement a QRNG protocol comprising the protocol described in the publications titled “ Semi-device-independent framework based on natural physical assumptions” by T. V. Himbeeck, E. Woodhead, N. J. Cerf, R. Garcfa-Patron, and S. Pironio, and “ Correlation and randomness generation based on energy constraints”, by T. V. Himbeeck, Quantum 1(2017), htt s://doi.org/10.22331/q-2017-l l-18-33, and S. Pironio, arXiv: 1905.09117 vl [quant-ph], herein referred to as “Himbeeck/Pironio”, the entire contents of which is incorporated by reference herein and made a part of this specification. In an embodiment, a quantum random number generator may utilize “On-Off-Keying (OOK) method as described in Himbeeck/Pironio.

[0061] Two objective problems are encountered when seeking to build an apparatus that implements a semi-device-independent QRNG protocol such as described in Himbeeck/Pironio :

Problem 1: Himbeeck/Pironio does not teach how to build a quantum random number generator, but merely provides a theoretical basis and mathematical proofs. Thus, inventive effort is required to reduce theoretical considerations in Himbeeck/Pironio to practice. Embodiments of the present disclosure are distinguished from teachings in Himbeeck/Pironio in that Himbccck/Pironio docs not teach regarding designing suitable randomness certificates for use in the control and processing system 60 of the apparatus 10 to ensure that at least a minimum threshold of entropy in generated QRNG data is achieved; moreover, Himbeeck/Pironio does not teach how to build a practical low-power apparatus that can be used in challenging environments, for example where environmental temperature variation and mechanical vibration are likely to be encountered; and

Problem 2: Implementing the apparatus 10 and experimentally verifying assumptions used when designing the apparatus 10 to ensure that the data keys are adequately entropic; for example, experimental verification of the light generated by a light source of the optical system 22 satisfying an energytype assumption is included in the manufacturing of the apparatus 10 (e.g., an energy-type assumption described in Himbeeck/Pironio).

[0062] FIG. 4A is a block diagram illustrating a system 400 that may be used to generate certified random numbers associated with quantum events using prepare-and-measure or the OOK method. In some embodiments the system 400 may comprise a quantum device (e.g., a photonic quantum device) 402 that is in communication and is controlled by a classical computing device 404. The quantum device 402 generates quantum random bit strings (QRBSes) comprising quantum random bits associated with quantum events (e.g., detection of photons). The quantum device 402 may generate a quantum random bit using a two-step process comprising preparation of a quantum state using a preparation process 406 triggered by the classical computing device 404, and a measurement process 408 comprising measuring the quantum state. The classical computing system may trigger the preparation process 406 by generating trigger signal and transmitting a first portion of the trigger signal 411a to the quantum device 402. In some cases, the trigger signal may comprise a pseudo random number (PRN) generated by a seeded pseudorandom number generator (PRNG) 410. In some cases, the preparation process 406 may be bound by an energy-type constraint resulting in a constrained quantum state 407. In some cases, such constrained quantum state 407 can generate a quantum random event when measured. A plurality of measured random quantum events may be transmitted to the classical computing device 404 as a quantum random bit string (QRBS) 409. Subsequently, the classical computing device 404 may use a witness verification process 412 to verify that an entropy level of the QRBS 409 is greater than a minimum entropy associated with an entropy witness. In some examples, the verification process 412 may include evaluating the QRBS 409 using a second portion of the triggered signal 411b received from the seeded PRNG 410 and at least an entropy witness. In some cases, the verification process 412 may evaluate the QRBS 409 using the second portion of the triggered signal 411b and a sorted group of entropy witnesses sorted based on the corresponding entropy levels. In some such examples, the verification process 412 includes sequentially evaluating the (QRBS) 409 using individual entropy witnesses of the sorted group, starting with entropy witness having the highest entropy level, until the (QRBS) 409 satisfies the entropy condition associated with an entropy witness. In some cases, the different entropy witnesses of the sorted group may be associated with different physical conditions of the quantum device 402. For example, different entropy witnesses of the sorted group may be associated with different temperatures of the quantum device 402 where, the first witness function, having the highest entropy level, is associated with the lowest temperature. Such witness verification process may result in lower rate of QRBS rejection since QRBSes that have lower level of entropy due to a physical condition of the quantum device 402, can be still verified by entropy witnesses having lower entropy levels (down in the sorted group).

[0063] Once one or more QRBSes are verified using the witness verification process 412, the verified QRBSes 413 may be transmitted to a seeded randomness extractor 416. The seeded random extractor uses a seed random number (e.g., a cryptographic seed) 414 and the verified QRBSes 413 to generate one or more certified random numbers 413. In some cases, the cryptographic seed 414, can be hard coded in the classical computing device 404.

[0064] In an embodiment, the quantum device 402 may comprise a light source that prepares photons having the constrained quantum state and a photodetector that detects the photons to generate a detection signal. In these cases, the constrained quantum state may have a constrained photon number or a constrained overlap with a vacuum state. For example, an overlap between the constrained quantum state of the photons and the vacuum state can be greater than a threshold value. A plurality of detection signals may be transmitted to the classical computing device 404 as the QRBS 409. [0065] Advantageously the measurement process 408 may not be constrained by specific physical constraints for generating a QRBS having an entropy larger than a minimum entropy and associated with a quantum event.

[0066] FIG. 5A is a block diagram of an apparatus 500 for generating certified quantum random numbers using the method described above with respect to the system 400. In some cases, the apparatus 502 may comprise a photonic quantum device 502 serving as the quantum device 402. The photonic quantum device 502 includes a photonic system comprising an optical source 506 configured to generate light (photons) and a photodetector 508 configured to detect photons received from the light source 506 and generate a detection signal indicative of a one or more photons received and detected.

[0067] A wavelength (e.g., a center wavelength) of light generated by the optical source 506 can be from 400 - 700 nm, from 700 - 1700 nm, from 1700 - 2500 nm, or any value within a range formed by any of these values, or smaller or larger values.

[0068] The light source 506 may comprise photon source (507a) such as a laser, e.g., a solid-state laser, a fiber laser, a semiconductor laser, or other light sources (e.g., a light emitting diode). In some cases, the laser can be a pulsed laser configured to generate pulses of light having a pulse width (tp). In some cases tp can be from 1 ns to 10 ns, from 10 ns to 20 ns, from 20 ns to 30 ns, from 30 ns to 50 ns, or any ranges formed with these values, or larger or smaller. In some cases, the photodetector 508 is a single photon detector (e.g., a single-photon avalanche diode or SPAD). In some implementations, the photonic system may include an optical link 507b configured to receive light form the photon source 507a, attenuate the received light, and transmit the attenuated light to the photodetector 508. In some cases, attenuated light may satisfy an energy-type constraint. In some examples, the light generated by the photon source 507a may not satisfy an energy -type constrained while the attenuated light satisfies an energy-type constraint. An energy-type constraint may comprise a bounded expected value for an observable (or measurable) physical parameter of light (a photon stream) such as energy, photon number, or overlap of a quantum state with vacuum state. For example, an overlap between the quantum state of the attenuated light, transmitted from the optical link 507b to the photodetector 508, and the vacuum state can be greater than a threshold value. In some cases, the energy-type constrain may comprise a max-peak assumption that imposes an upper bound on the mean energies observable by a user of apparatus 500 and an adversary that has access to the classical information associated with the photonic quantum device 502. Tn some examples, the characterization process may comprise measuring a property of the resulting light or attenuated light (e.g., a photon statistics) using a “trusted detector”. The trusted detector can be a photodetector that is thoroughly characterized and placed in a protected environment. Further details about max-peak assumption are described below.

[0069] The detection signals generated by the photodetector 508 may be transmitted to a measurement circuit 519 that is configured to process and store the detection signals to generate a quantum random bit string (QRBS).

[0070] In some implementations, the photonic quantum device 502 may generate a plurality of detection signals using a plurality of prepare-and-measure cycles (operate according to an OOK process). An individual prepare-and-measure cycle may comprise triggering the light source 506 to generate light (e.g., an optical pulse), e.g., using a trigger signal, measuring (detecting) the resulting light, and storing the resulting detection signal. A trigger signal may cause the light source 506 to send an optical pulse to the photodetector 508.

[0071] The trigger signal may be generated by a preparation circuit 518 that receives a pseudorandom number (PRN) generated by a pseudorandom number generator 510. Accordingly the trigger signal may comprise a random series of ON/OFF signals (corresponding to logic 1 and 0) configured to cause the photon source 506 to generate a series of pulses randomly distributed in time domain. The photon source 507a may be configured to generate an optical pulse upon receiving an ON signal and do not generate light upon receiving an OFF signal. A prepare-and-measure cycle may comprise receiving, by the light source 506, a signal that may randomly be an ON or an OFF signal, and measuring a corresponding detection signal that can be indicative of detection of one or more photons or no photons.

[0072] The apparatus 500 may use a witness variation circuit or process 512 to determine and validate an entropy level of the QRBS generated by the measurement circuit 519 using a signal generated by the preparation circuit 518 (e.g., a portion of the trigger signal) and at least one entropy witness associated with a specific level of entropy. In some cases, the witness verification process 512 may comprise a comparison between the QRBS and the entropy witness to determine whether an entropy level of the QRBS is equal or greater than the specific level of entropy. If the entropy level of the QRBS is determined to be equal or greater than the specific level of entropy (associated with the entropy witness), the QRBS is verified and the witness verification process 512 provides the verified QRBS (V-QRBS) to an extractor circuit or randomness extraction process 516. In some cases, the extractor 516 may comprise a seeded extractor that generates a certified random number 530 using the seed random number 514 and the V-QRBS. The seed random number 514 may be a cryptographic random number hard coded in the apparatus 500, e.g., as part of the extractor circuit or extraction process 516.

[0073] The apparatus 504 may comprise and electronic device 504 in communication with the photonic system of the photonic quantum device 502. In some implementations, the circuits or processes described above with respect to the apparatus 500 may be implemented on the electronic device 504 as processes performed by one or more electronic processors of the electronic device 504 using machine readable instructions stored in a memory of the electronic device 514. In some cases, one or more circuits or processes described above with respect to the apparatus 500 may comprise individual circuits in the electronic device 504. The electronic device 504 may include a control and processing system 520 that controls the operation of circuits and execution of processes within the electronic device 504, and the operation of the optical system of the photonic quantum device 502. The photonic quantum device 502 may comprise the photonic system (e.g., the light source 506, and the photodetector 508) and the preparation 518 and measurement 519, circuits/processes implemented on the electronic device 504. In various implementations, the electronic device 504 may comprise a field programmable gate array (FPGA), a development board (e.g., a board that includes a central processing unit (CPU) and/or FPGA), a microcontroller, a microprocessor, an application- specific integrated circuit (ASIC), or other types of electronic devices. In some cases, the electronic device 504 can be connected to an external computing system (e.g., a classical computing system) and use a processor of the external computing system at least for a portion of the processing tasks performed for generating the certified quantum random numbers 530.

[0074] In some embodiments, the apparatus 500 may be used in two or more modes where an individual mode corresponds to a configuration of the apparatus 500 for performing a computational task. For example, in a normal mode (also referred to as operational mode), the apparatus 500 may configured to generate certified random numbers 530, and in a kick-off mode the apparatus 500 may configured to generate a seed random number. In some cases, the apparatus 500 may be operated in the kick-off mode during a manufacturing process to generate a seed random number for usage during an operation mode. In some cases, the apparatus 500 may be operated in the kick-off mode after a period of operation in the normal mode.

[0075] FIG. 5B is a flow diagram illustrating an example process 500 that may be used by a control and processing system 520 (also referred to as controlled system 520) of the apparatus 500 during an normal mode (operational mode) to generate one or more certified random numbers. The control system 520 uses various circuits, processors, non-transitory memory elements of the electronic device 504, and the information/instructions stored therein to perform the process 500.

[0076] At block 502, the control system 520 uses the pseudorandom number generator 510 preparation process (or circuit) 518 to trigger the light source 506 and generate a photon stream and provide the photon stream to the photodetector 508. In some cases, providing the photon stream may comprise reducing a number of photons in the photon stream (e.g., using the optical attenuator 507). In some cases, a quantum state of the photon stream delivered to the detector may satisfy a max-peak assumption (e.g., the quantum state may have a minimum overlap with the vacuum state).

[0077] At block 504, the control system 520 uses the photodetector 508 and the measurement process (or circuit) 519 to detect and measure the photon stream generated at block 502.

[0078] At block 506, the control system 520 stores a result of the measurement process at block 504 (e.g., a detection signal) in a non-transitory memory of the electronic device 504. A result of the measurement may comprise a random bit associated with an quantum event.

[0079] At decision block 508, the control system 520 determines a total number of measurement results (random bits) stored. If the total number of stored measurement results is equal or greater than a threshold value, the process proceeds to block 510. If the total number of stored measurement results is smaller than the threshold value, the process returns to block 502. In some cases, the threshold value is a predefined value stored in memory of the electronic device 504. [0080] At block 510, the control system 520 generate a QRBS using the stored random bits.

[0081] At decision block 512, the control system 520 determines an entropy of the QRBS using the one or more entropy witnesses. If the determined entropy of the QRBS is greater than an entropy level associated with an entropy witness, the process proceeds to block 514. If the determined entropy of the QRBS is smaller than entropy levels associated with one or more entropy witnesses, the process returns block 502.

[0082] FIG. 6 is block diagram illustrating an example optoelectronic system 600 for generating certified random numbers. The opto-electronic system 600 can be an implementation of the apparatus 500 shown in FIG .5A. The opto-electronic system 600 may include an electronic board 602 (e.g., serving as the electronic device 504), an optical system

603 (serving as the optical system of the photonic quantum device 502), and a power supply

604 configured to provide electric power to the electronic board 602 and the optical system 603.

[0083] The optical system may comprise a photon source 507a (e.g., a laser), an optical link 507b, and a photodetector 508. The electronic board 602 is connected to the laser 506 and the photodetector 508 via wired or wireless links, e.g., to send control signals and receive data signals. In some implementations, the photon source 507a is optically connected to the photodetector 508 via the optical link 507b comprising and optical connector assembly 608 and an optical fiber 610. The optical link 507b may serve as the optical attenuator 507 in apparatus 500. In some cases, the optical link 507b may comprise an absorptive optical attenuator. In some cases, the optical connector assembly 608 may include absorptive optical layer configured to attenuate light generated by the photon source 507a. In some cases, the total optical attenuation of light transmitted through the optical link 507b may be configured to reduce a power of light generated by the photon source 507b to satisfy an energy-type constraint.

[0084] In some cases, during a manufacturing or recalibration process the detector 508 may be replaced by a trusted photodetector to adjust the parameters of the photon source 507a and the total optical attenuation of the link 507b such that one or more properties of light detected by the trusted detector satisfies an energy-type constraint. In some case, satisfying and energy-type constraint may comprise a max-peak assumption. In some examples, the one or more properties of light may comprise a mean photon number or an overlap of the quantum state of light with vacuum state.

[0085] In some embodiments, the system 600 may comprise an environmental sensor 612 configured to measure an environmental parameter (e.g., a temperature). In these embodiments, a control system of the electronic board 602 may use a sensor signal received from the environmental sensor 612 to determine that an environmental condition during a quantum random number generation process has changes beyond a threshold level. In response to such determination, control system of the electronic board 602 may abort the quantum random number generation and/or witness verification process. Alternatively or in addition, in response to such determination, control system of the electronic board 602 may warn a user of the apparatus 600 about the likelihood that the apparatus 600 is malfunctioning and the certified quantum random numbers are not reliable.

[0086] In some embodiments, the control system of the electronic board 602 may adjust or select a value of a parameter of the electronic board 602, based at least in part on the sensor signal.

[0087] In some implementations, the output of the photon source 507a may comprise a sequence of periodically generated optical pulses having a pulse width between 1 ns and 100 ns, e.g., when triggered electronically. In some cases, a repetition rate of the optical pulses can be from 1 to 100 MHz. An optical link between the photon source 507a and the photodetector 508 may comprise one or more absorptive neutral density (ND) filters in combination with a purposely decoupled optical fiber to achieve the desired average photon number received by the photodetector 508 for a given optical output power generated by the light source 506. In some cases, the photodetector 508 may comprise a single-photon avalanche diode (SPAD). The SPAD may generate a single TTL pulse in the event of a photon (or multiple photons) triggering an avalanche within the SPAD. The detection efficiency of the SPAD can be from 60 to 90 % for a wavelength between 600 nm to 700 nm. A deadtime of the photodetector 508 can be from 20 ns to 60 ns. A dark count of e photodetector 506 can be less than 200 Cps, less than 300 Cps, or less than 600 CPs.

[0088] In some implementations, the extractor 30, or 516 can be beneficially implemented as a seeded Dodis extractor; optionally. A parameter of the extractor 30, or 516 may be adjusted by the control and processing system 60 or electronic device 502. In some implementations, the extractor 30, or 516 can be configured as a 2source extractor in a Markov model (c.g., when the device operates in a kick-off mode). In some cases the extract 30, or 516 may comprise a randomness extraction algorithm executed on a processor of the 60 or electronic device 502.

[0089] The apparatus 10, system 400 or apparatus 500 can include one or more than one of the following innovations:

Innovation 1: Using multiple randomness witnesses within the data key generating apparatus [0090] Ensuring that the apparatus 10, 500, or system 400 is reliable in operation and provides certified random numbers or verifiable data keys, for example postquantum cryptographic keys but not limited thereto, arc essential attributes that the apparatus 10, 500, or system 400 must provide for satisfying its practical end uses, for example in banking systems, in secure data communication systems, in safetycritical control systems for infrastructure, in secure data storage systems, and so forth. Such verified operation of the apparatus 10, 500, or system 400 can be provided by way of having an entropy witness hardcoded into the apparatus 10, 500, or system 400, for example into the control processing system 60, classical computing device 404, or the electronic device 504. Moreover, including such an entropy witness can be useful for ensuring performance as the apparatus 10, 500, or system 400 ages (e.g., as a corresponding the quantum device ages).

[0091] The quantum device (e.g., the optical system) of apparatus 10, 500, or system 400 can produce a string of output bits whose entropy can be rigorously lower- bounded based on the validity of quantum theory. In some implementations, this lower bound on the entropy is obtained by solving an optimization problem that takes as an input the estimated probability of an individual output (e.g., a detection signal) for a given the preparation choice. Due to the complexity of the optimization algorithm, it can be difficult to solve such optimization problem using the control processing system 60, classical computing device 404, or the electronic device 504. To address this limitation, in some implementations, during a manufacturing process of apparatus 10, 500, or system 400, an entropy witness may be used to determine whether a QRBS of n output bits comprise a certain minimum amount of entropy. Such entropy witness may be optimized for a measured behavior of the quantum device (e.g., the optical system) or a conditional probability Pt _yp ( .r) indicating a probability of obtaining a measurement a in response to a preparation x, for a working condition of the quantum device (c.g., a typical or expected behavior of the quantum device). Such conditional probability can be estimated by running the quantum device many times in expected environmental conditions. The resulting entropy witness can be hardcoded in the control processing system 60, classical computing device 404, or the electronic device 504 and be used to determine whether a QRBS of n output bits is greater than an minimum entropy set for proceeding to the extraction step.

[0092] The use of a single entropy witness is an effective replacement for on-board solving of the optimization assuming that the behavior of the quantum device (the optical system) does not significantly deviate from the “expected” condition for which the single entropy witness is prepared and optimized. In some cases, variation of an environmental condition, may result in a high probability of a QRBS to be rejected by the statistical test 24, or witness verification process 412, 512. In some cases, when an environmental condition of a quantum device differs from an environmental condition associated with an entropy witness, an entropy level of the QRBS generated by the quantum device, can be smaller than the entropy level associated with the entropy witness.

[0093] In a real-world implementation, the quantum device can operate in a range of different environmental conditions (for instance, in a range of temperatures between 10 and 40C) and during the expected lifetime of the device. The environmental condition, such as temperature, can have a strong influence on the behavior of the components (e.g., optical components) of the quantum device, that can result in dependence of the conditional probability Ptyp( x) on the environmental temperature. Similarly, the ageing of the optical components can influence the expected behavior of the quantum device. To account for the variability of the behavior of the quantum device (e.g., due to variable environmental conditions), an inventive aspect of the systems disclosed herein includes preparing or designing different entropy witnesses fit for the different environmental conditions that the quantum may be exposed and/or different behaviors of the quantum device that may be expected during a life time or operational period of the corresponding apparatus or system. As an example, when the quantum device of the apparatus 10, 500, or system 400, is expected to function over a range of temperatures between 10C and 40C, and three entropy witnesses may be designed for operation from 10C to 20C, form 20C to 30C, or from 30C to 40C. Depending to a level of sensitivity of the behavior of the quantum device to temperature more entropy witness may be designed to be used over smaller temperature intervals (c.g., every 5C instead of IOC).

[0094] Advantageously, using a plurality of entropy witnesses can reduce a probability of aborting a cycle, without adding assumptions to the random number generation protocol. In some embodiments, the individual entropy witnesses provide valid entropy bounds even in different environmental conditions, but the results might not be optimal. In some cases, different entropy witnesses of the plurality of witnesses may be associated with different entropy levels. An individual entropy witness may be used to determine that an entropy of a bit string (e.g., quantum bit strings) is larger than the entropy level associated with the individual witness function.

[0095] In some cases, the verification process 412 may evaluate the QRBS 409 using the second portion of the triggered signal 411b and a plurality of entropy witnesses. In some such examples, the verification process 412 includes evaluating the (QRBS) 409 using individual entropy witnesses, until the (QRBS) 409 satisfies the entropy condition associated with an entropy witness. In some examples, at least two entropy witnesses may be associated with a substantially equal entropy levels. In some such examples, the at least two entropy witnesses may be associated with different environmental conditions.

[0096] In some implementations, the plurality of the entropy witnesses may be sorted based on corresponding entropy levels to form a sorted set of group of entropy witnesses. Accordingly, in an operational mode of the apparatus 10, 500, or system 400, the statistical test 24, or witness verification process 412, 512 may evaluate a QRBS received from the quantum device using the first entropy witness in the sorted group, using the second entropy witness in the sorted group if the QRBS does not satisfy the entropy level of the first entropy witness, and continuing the evaluation process using the subsequent entropy witnesses the ordered group until the QRBS satisfies the entropy level of an entropy witness. In some examples, the entropy witness associated with a highest level of entropy may be placed first in the sorted group followed by the rest of the entropy witnesses in a descending order.

[0097] As such, the generation rate of the certified quantum random numbers may be determined by the first witness whose entropy level is satisfied by the QRBS, which means that an overall rate of certified random number generation may be improved. [0098] Tn some cases, aging of the quantum device of the apparatus 10, may be monitored by monitoring a validation rate of the QRNs received by the statistical test 24 for example, a validation rate may decline as a function of aggregate operating time of the apparatus 10. In some such cases, such decline may indicate that classical stochastic phenomena become more significant and dominant when the apparatus 10 is functioning, thereby potentially reducing a rate at which postquantum cryptographic keys can be generated from the apparatus 10. Other parameters can alternatively or additionally be used for monitoring the apparatus 10, for example:

(i) a laser output power used in the quantum device;

(ii) optical detector noise when no photons are being received (for example, when the laser 25 or photon source 507a is switched off) within the quantum device; and

(iii) changes in spectral distribution of noise arising in the quantum device, for example changes in a spectral distribution of noise in the laser output.

[0099] Thus, in an embodiment, in the apparatus 10 multiple parameters may be monitored each affecting a different aspect of the certified random number or data key generation by apparatus 10; for example, in some embodiments, some or all of the following parameters are monitored to verify correct operation of the apparatus 10:

(i) ageing of components used in the apparatus 10;

(ii) energy output of the laser 25 (or the photon source 507a) diminishing as a function of time;

(iii) detector dark counts increasing as a function of time, for example detected when the laser 25 (or the photon source 507a) is switched off.

[0100] Optionally, the data interface and control unit 50 maintains a record of measurements of at least (i) to (iii) as a function of time and performs a statistical analysis of trends or compares against acceptable threshold values when monitoring operation of the apparatus 10, and generating a warning signal from the apparatus 10 in an event that the apparatus 10 is potentially generating data keys of insufficient entropy.

[0101] In some embodiments, the control and processing system 60, or 520 may select an entropy witness or a sub-set of the entropy witnesses from a sorted group of entropy witnesses based at least in part on monitoring signal associated with one or more of the monitored parameters listed above. Tn some cases, the monitoring signal, may comprise a sensor signal generated by a sensor (c.g., an environmental sensor).

Innovation 2: Generation of seeds for random extraction

[0102] In some cases, a quantum random number generator may use a random “seed”, namely data corresponding to a small amount of initial near-perfect randomness, to generate a random number (RN) for random number extraction, for example as it occurs in the extractor 30 of the apparatus 10 (or the extractor 516 of the apparatus 500).

[0103] This seed is used by the extractor 30 (or the extractor 516) during a randomness extraction step to randomize the process by randomly picking a hash function that is applied to the output of the RNG. The hash function may be picked based on a value of the seed. While the seed can be generated using an external high quality RNG and then hard coded into the apparatus, in some applications, it is desirable to generate the seed internally within the apparatus and relax the need for external seed.

[0104] An inventive aspect discussed herein includes implementing a “quick-off mode” or “quick-off phase” during which the apparatus generates the seed. In some cases, the apparatus 10 or 500 may be operated in the quick-off mode during a manufacturing process to generate a seed random number that is hard coded in the apparatus 10 or 500. In some cases, the operation of the apparatus 10 or 500 may comprise a quick-off phase before a normal randomness generation phase during which the seeded random number generator uses a seed generated in the kick-off phase.

[0105] In some implementations, on the apparatus 10 or 500, a seed is generated using the quantum device (optical system) of the QRNG 20 or photonic quantum device 502, namely from a first couple of uses of the quantum device. For generating the seed, the quantum device is used multiple times initially, namely in the “quick off’ phase, namely in a latency period after the quantum device settles down to generate highly entropic quantum random data.

[0106] Between uses of the apparatus 10 (or 500), the apparatus is configured to perform a hard reset. After completing the “quick off’ phase, the apparatus 10 is able to generate data keys on demand from one or more users of the apparatus 10.

[0107] Optionally, the aforesaid “quick off’ phase is repeated to provide a new fresh seed for the extractor 30 (or extractor 516); such a manner of operation is in contradistinction to having to input a pseudo-random seed from an external source relative to the apparatus 10 (or 500), thereby rendering the apparatus 10 (or 500) more robust in its operation to third-party tampering. Optionally, the extractor 30 (or the extractor 516) is used to perform a seeded extractor function when generate aforesaid data keys, using the seed generated during the aforesaid “quick off’ phase. However, it will be appreciated that other types of extractors can be used in the apparatus 10 (or 500) instead, or in addition to, the Dodis extractor; for example, a Diffie-Hellman extractor protocol is optionally used in the extractor 30 (or 516) as an alternative to using a Dodis extractor protocol. In some cases, a same type of extractor protocol may be used both the generating the seed data during the “quick off’ phase, as is also used when generating certified random numbers but with different parameters. In some cases, the control and processing system of the apparatus may change a parameter of a extractor algorithm to change the extractor 516 (or extractor 30) from a seed extractor during a normal (operational) phase to a two-source extractor during a quick-off phase.

[0108] FIG. 7 is a flow diagram illustrating an example process 700 that may be used by a control system 520 of the random number generator apparatus 500 during a quick- off phase or quick-off mode to generate one or more seed random numbers, e.g., for usage during an operational phase of the apparatus 500 to generate certified random numbers 530. The control system 520 uses various circuits, processors, non-transitory memory elements, and the information/instructions stored therein to perform the process 700.

[0109] At block 702, the control system 520 uses the quantum device 502 to generate a first bit string. In some examples, the first bit string may comprise n bits output from the measurement device 519. The first bit string can have a minimum entropy of ki.

[0110] At block 704, the control system 520 resets the quantum device 502 to eliminate memory effects. In some cases, resetting the quantum device 502 device may comprise switching off the quantum device 502 for a wait period; for example a power supply of the quantum device 502 may be turned off and turned back on after the wait period. The wait period can be long enough to erase data from previous operational periods (e.g., data or information left from generating the first bit string at block 702), to avoid leakage of such data to subsequent operations.

[0111] At block 706, the control system uses the quantum device 502 (e.g., after being reset in some cases) to generate a second bit string. In some examples, the second bit string may comprise m bits output from the measurement device 519. The second bit string can have a minimum entropy of ki. Tn some examples, m can be equal to n. Tn some examples, n and m is a predetermined value stored in a memory of the electronic device 504.

[0112] In some embodiments, the control system 520 may skip block 704 and generate the second bit string after generating the first bit string without resting the quantum device 502.

[0113] At decision block 708, the control system 520 uses a witness verification process 512 (e.g., a witness verification algorithm implemented on the electronic device 504) to determine whether a total minimum entropy (ki+fo) of the first and the second bit strings is greater than a threshold value (kth). If ki+ki is greater than kth, the control system transmits the first and the second bit strings to the extractor 516 and the process 700 proceeds to block 710. In some cases, fch is substantially equal to n + k where k > 0. If ki+fo is smaller than kth, the process 700 returns to block 702.

[0114] In some embodiments, witness verification process 512 uses one or more entropy witnesses hardcoded in the electronic device 504. Similar to the operational phase, the entropy witness used during quick-off phase (or quick-off mode) may be selected from a plurality of entropy witnesses hardcoded in the electronic device 504 based a set of operational and/or environmental condition of the quantum device 502. In some cases, at least a portion of the entropy witnesses used during the quick-off phase (or quick off mode) can be the same entropy witnesses used during an operational phase. In some cases, one or more entropy witnesses may be dedicated to quick-off phase operation. For example, the entropy witness hardcoded in the apparatus may include an entropy witness exclusively used during a quick- off phase and an entropy witnesses exclusively used during a normal phase. Advantageously using dedicated entropy witnesses during quick-off phase may improve the efficiency and/or reliability of the resulting random seed numbers.

[0115] At block 710, the control system 520 configures the extractor 516 as a two- source extractor. For example, the control system 520 may change one or more parameters in an extractor algorithm or execute a dedicated two-source extractor algorithm using the computational resources of the electronic device 504. A two- source extractor is configured to generate (extract) a random number using two input random numbers. Subsequently the two- source extractor 516 uses the first and the second bit strings received from the witness verification 512 to generate a third bit string. In some examples, the third bit string can be a near-perfect random bit string having a minimum entropy of exceeding those of the first and the second strings. The control system 520 stores the third bit string to a non-transitory memory (e.g., a memory associated with the witness verification), and process moves to the block 710.

[0116] At the decision block 712 the control system determines if a number of nearperfect random bit strings generated by quantum device 502 and stored in the electronic device 504 is equal or greater than a threshold number (Nth). If the number of near-perfect random bit strings is equal or greater than a threshold number (Nth), the process 700 proceeds to block 714. If the number of near-perfect random bit strings is smaller than Nth, the process returns to block 702. In some examples, Nth can be determined based on a chosen security parameter of the near-perfect output bits. In some examples, Nth can be limited by computational power of the electronic device 504. In some cases, Nth can be determined based on a time interval during which the random seed number generated by the process 700 may be used in the apparatus 500. For example, a seed of size 4096 may be reliable for 50 days of operation, while if the apparatus has to operate for 10 years without receiving a new seed number, 73 seed random numbers of the 4096 may be needed. In various implementations, Nth can be from 1000 to 5000, from 5000 to 10 ³ , from 10 ³ to 5x10 ³ , from 5x10 ³ to 10 ⁴ , from 10 ⁴ to 10 ⁵ , from 10 ⁵ to 10 ⁶ , or larger values.

[0117] In some implementations, the steps described above with respect to blocks 702 to 712 may be repeated M times before the process proceeds to block 714. In some examples M can be greater than Nth /k.

[0118] At block 714 [6] the control system the control system 520 uses at least a portion of the near-perfect random bit strings to generate a seed random number 514 and stores it in a non-transitory memory of the electronic device 504 for usage during an operational phase or mode.

[0119] Advantageously, resetting the system at block 504 may enable the usage of the extractor 30 in the Markov model. In some examples, the extractor 516 (e.g., when configured as a two-source extractor) can be a “Dodis extractor”. Examples of such extractor are discussed in “Practical randomness amplification and privatization with implementations on quantum computers”, 2009, arXiv:2009.06551v2. [0120] Tn some cases, when the third string is a near-perfect random bit string, n can be larger than 10 ⁴ , larger than 10 ⁵ , or larger than 10 ⁶ . In some cases, n can be limited by the extractor 516. In some such cases, the extractor 516 may be executed by a processor of a computing system separate from the electronic device 504 of the apparatus 500, e.g., to enable extracting the third random bit string from large first and second bit strings. Such computing system may have more computational power compared to electronic device 504 (e.g., an FPGA) of the apparatus 500. In some cases, the computing system may comprise a notebook, a personal computer, a notepad, or other computational systems. In some cases, the computing system may be connected to the apparatus 500 via a wired or wireless data link.

[0121] In some implementations, in order to generate a large seed random number, e.g., a seed number large enough to enable using the Dodis extractor during an operational phase, the quick-off phase described above may be used during the manufacturing stage (or recalibration stage) of the apparatus 500 to generate such large seed random numbers that are then hardcoded to the electronic device 504 of the apparatus 500 for usage during its lifetime.

[0122] In some implementations, the apparatus 500 may be configured in the quick-off mode to generate one or more seed random numbers. In some such implementations, the apparatus 500 can be connected to a computing system to generate a seed random number larger than 10 ⁴ , larger than 10 ⁵ , or larger than 10 ⁶ bits. These seed random numbers may be stored or hard coded in the one or more random generators similar to the apparatus 500, such that they can be used to generate certified random numbers 530 in a normal mode without the need for any quick-off phase. The operation of such apparatus may be referred to as randomness amplification or multi-source extraction. As such random numbers that are generated using the apparatus 500 in a quick-off mode may replace the crypto seed 414 in the system 400 or the apparatus 500 to eliminate the need for a crypto seed generated by a classical computing system, or interrupting the operation of the apparatus to switch to a quick-off phase.

Innovation 3: Light source fabrication, calibration and certification

[0123] During manufacture of the apparatus 10, 500, or the optoelectronic system 600 the laser 25 (or photon source 507a) may characterized using a plurality of methods to ensure that it is functioning in a manner that allows the QRNG 20 or the photonic quantum device 502 to produce quantum random bit strings, whose randomness is associated with quantum events, using the prepare-and-measure method described above. [0124] Tn some implementations, during a manufacturing process and/or rccalibration of the apparatus 10, 500, or the optoelectronic system 600, a light source may be calibrated and certified at a factory for usage in a quantum device used for generating quantum random bit strings (e.g., to be used as the light source 506 in the photonic quantum device 502 or a light source in optical system 22 of QRNG 20). As described above, the light source can include a photon source and an optical link, where the optical link transmits at least a portion of light generated by the photon source to a photodetector of the quantum device. For calibration and certification, the light source may be optically connected to a trusted photodetector. In some cases, the trusted photodetector (also referred to as a trusted detector) may be a detector dedicated to calibration and certification of the light sources for a quantum device used for generating quantum random bit strings. It will be appreciated that the trusted detector is meticulously calibrated. In some embodiments, the trusted photodetector can be mechanically, thermally, electromagnetically, electrically, or magnetically isolated from a surrounding environment. Alternatively or in addition the trusted photodetector may be protected from being tampered by an adversary. As such, a detection signal (e.g., a photocurrent) generated by the trusted photodetector may not be affected by any parameter other than the light received by the light source or, possibly, the changes or effect associated with the internal circuitry of the photodetector. In some cases, a trusted photodetector can be battery powered to electrically isolate the trusted photodetector. In some cases, usage of such trusted detector can be limited to the manufacturing process of the apparatus 10, 500, or the optoelectronic system 600, and the trusted photodetector may not form an integral part of the apparatus 10, 500, or the optoelectronic system 600.

[0125] In some embodiments, the trusted detector may be optically connected or coupled to the laser 25 (or the photon source 507a) of the optical system 22 of the QRNG 20, (or the photonic quantum device 502), without the use of any lenses disposed between the laser 25 (or the photon source 507a) and the trusted detector. In some cases, the trusted detector may be optically connected to the laser 25 (or the photon source 507a) of the optical system 22 of the QRNG 20, (or the photonic quantum device 502), via the optical path 110A (or optical link 507b) that are also used to optically connect the laser 25 (or the photon source 507a) to the detector 120A (or photodetector 508) after the c and certification process. In various implementations, an optical link (e.g., optical path 110A or optical link 507b) that is used to transmit light generated by a photon source (e.g., laser 25 or the photon source 507a) to the trusted detector may comprise, an optical connector (e.g., an optical fiber connector), an optical attenuator, and/or an optical fiber (e.g., a single mode fiber optic waveguide). Such optical link may be configured to attenuate the light (a light beam) generated by the photon source such that a power (optical power) of the light received by the trusted photodetector is less than the power of light generated by the photon source by 1 to 3 dB, 3 to 6 dB, 6 to 10 dB, 10 to 15 dB, 15 to 20 dB, 20 to 25 dB, 25 to 30 dB or any range formed by these values, or larger or smaller values. In various implementations, an optical link (e.g., optical path 110A or optical link 507b) that is used to transmit light generated by a photon source (e.g., laser 25 or the photon source 507a) to the trusted detector may comprise, an optical connector (e.g., an optical fiber connector), an optical attenuator (e.g., a tunable attenuator), and/or an optical fiber (e.g., a single mode fiber optic waveguide). The attenuation of the optical link may be tunable or adjustable by a user. In some examples, the optical attenuation via the optical link may be associated with a poor coupling of the laser 25 (or the photon source 507a) to an optical fiber used when calibrating the light source during manufacturing process, and also during operation of the apparatus 10, 500, or opto-electronic system 600. This type of optical attenuation may reduce a complexity of the light source, and its susceptibility to misalignment and environmental disturbances. In some cases, the optical link between the photon source and the trusted detector (and the photon source and the photodetector after calibration) may include an optical attenuator, and optically absorptive filter. In some such cases, the optical attenuation of the optical link may be adjusted by choosing different fixed attenuators or changing the attenuation of a tunable optical attenuator. After adjusting the attenuation of the optical link, the optical link may be carefully disconnected from the trusted photodetector and be connected to a photodetector of a quantum device while avoiding any change in the optical link that may cause a change in the attenuation of the optical link so that, for a give setting of the photon source, an optical power received by the detector in the quantum device is substantially equal to the optical power received by the trusted photodetector in the factory.

[0126] As described above a level of attenuation of light from the laser 25 (or the light source 506) to the trusted detector may be designed or adjusted such that a quantum state of the light received by the photodetector satisfies an energy-type constraint such as having a minimum overlap with the vacuum state. [0127] Tn some implementations, the light source calibration and certification process may comprise using the trusted photodetector to adjust the power of light output by the light source (optical power received by the trusted photodetector) such that light received by the trusted photodetector satisfies an energy-type constrain. In some cases, measuring the detection signals generated by the trusted detector during a measurement period may be used to evaluate a quantum state of the light received by the trusted photodetector to determine whether it satisfies the energy-type constraint. Advantageously, switching the trusted detector with a photodetector (e.g., the photodetector 508) used in the apparatus 10, 500, or the optoelectronic system 600, without changing the components between the photon source and the photodetector, can guarantee that light received by the photodetector satisfies the energytype constraint in a quantum device (e.g., the photonic quantum device 502, or QRNG 20).

[0128] Beneficially, in the apparatus 10, 500, or the optoelectronic system 600, the laser 25 (or photon source 507a) is temperature controlled by using a temperature sensing feedback loop, as aforementioned; for example, the laser 25 (or light source 506) is mounted on a Peltier thermoelectric element and is equipped with a temperature sensor coupled to a feedback loop that maintains the laser 25 (or light source 506) at a constant temperature when in operation; alternatively, the laser 25 (or photon source 507a) is operated at a constant temperature that is slightly higher than an ambient temperature of the apparatus 10, 500, or the optoelectronic system 600. Optionally, the laser 25 (or photon source 507a) is operated in the apparatus 10, 500, or the optoelectronic system 600 in a triggered pulse mode, and not in a continuous operating mode; such a manner of operation may enable generating QRBS based on a prepare-and-measure protocol and in the meantime reduce power dissipation within the apparatus 10, 500, or the optoelectronic system 600, for example in situations where the apparatus 10, 500, or the optoelectronic system 600 is powered from batteries (as in portable equipment).

[0129] In some case, a current provided to the photon source 507a (e.g., a laser) to generate light may be substantially equal to a critical current of the photon source 507a. In some cases, a current provided to the source 507a may be adjusted such that a characteristics of the light output by the photon source 507a satisfies a threshold condition. In some examples, the characteristic may include a noise level (e.g., relative intensity noise) or a coherence level, and the threshold condition may comprise a threshold noise level or threshold coherence level. [0130] Tn some implementations, the calibration and certification process may comprise measuring the portion of light received by the trusted photodetector while controlling the photon source with a trigger signal, using the photodetector. In some examples, the trigger signal may comprise a series (e.g., a random series) of on/off signals that cause the light source to generate a plurality of optical pulses during a measurement period. In some cases, the photon source can be pulsed optical source configured to generate an optical pulse upon receiving an on signal. In some cases, a trigger signal used during a measurement period can be a pseudorandom bit string and an individual optical pulse generated by the photon source may be triggered with a bit of the pseudo-random bit string. The trusted photodetector receives the plurality of optical pulses and generate a plurality of detection signals where an individual signal indicates detection of at least one photon. Using the trigger signal (indicative of expected temporal distribution of the optical pulses), and the plurality of detection signals (indicative of the photon detection events), a probability (e.g., an average probability) of generation of a photon detection event in the presence and absence of an optical pulse can be determined. For example, the pseudo-random bit string used for generating the optical pulses may be used to determine an average probability of photon detection for the resulting optical pulses.

[0131] Subsequently, this probability may be used to determine an overlap of the quantum state of optical pulses generated by the light source and the vacuum state (an example of testing an energy-type constraint). Advantageously, this approach does not require photon counting as the number of photons detected at each photon detection event is not needed for the probability calculation.

[0132] Other energy-type constraint on the light source can be also tested using a trusted detector receiving light from the photon source using via an optical link. For example, in some cases, the trusted detector may be used to measure a mean photon number for the plurality of optical pulses generated by the light source (triggered by the trigger signal) during a measurement period. In some cases, an upper bound on the measured mean photon number may be used to determine that a quantum state of the light received by the photodetector (output by the light source) satisfies an energy-type constraint (a phonon number in this case).

[0133] In some cases, in response to determining that the portion of light received by the trusted photodetector during a first measurement period does not satisfy a selected energy-type constraint, a user or an automated system may adjust the optical link to attenuate the portion of light received hy the trusted photodetector. Subsequently, during a second measurement period the measurement process described above (c.g., with respect to overlap with vacuum state), may be repeated to determine whether a quantum state of the portion of light received by the photodetector, after increasing the attenuation, satisfies the energy-type constraint. This process may be repeated until the light output by the light source satisfies the energy-type constraint, in response to which the light source can be certified for usage in a quantum device (assuming no change is made to the optical link during installation in eth quantum device).

[0134] As described above, adjusting the optical link may include adjusting a level of optical attenuation of a tunable optical attenuator included in the optical link or adjusting a level of optical attenuation or reducing optical coupling in an optical junction (e.g., a connection or coupling to an optical fiber waveguide). In some cases, the optical link of a certified optical source may attenuate the light generated by the photon source the photon source by 1 to 3 dB, 3 to 6 dB, 6 to 10 dB, 10 to 15 dB, 15 to 20 dB, 20 to 25 dB, 25 to 30 dB or any range formed by these values, or larger or smaller values.

[0135] In some cases, during manufacture of the apparatus 10, 500, or the optoelectronic system 600 various properties of light generated by the laser 25 (or photon source 507a) may be characterized. In some cases, the characterization may include measuring a photon statistics of light generated by these sources. In some cases, the characterization may include measuring a degree of coherence of the light generated by these sources. In some cases, the characterization may include measuring a degree of coherence of the light generated by these sources.

[0136] In some implementations, the calibration and certification process of the optical source comprises isolating the light source from any external perturbation (e.g., mechanical, electrical, magnetic, thermal, and electromagnetic) and characterizing the stability of the photo source (e.g., the laser) by measuring light detected by the trusted photodetector during a time interval. The stability of the photon source may comprise, e.g., the stability of the wavelength, power, coherence properties, or polarization of the light generated by the photon source.

[0137] For example, the statistics of the laser power fluctuation or photon statists may be measured during the course of a stability testing period where testing period can be, e.g., 1 to 5 seconds. The outcome of stability measurement are used to assess the validity of the max-peak assumption.

[0138] Following this, the light generated by the light source may be characterized to test the energy-type constraint (e.g., overlap of the quantum state of the light with vacuum state) over a range of environmental conditions (e.g. temperature) expected during the operation of the light source in a quantum device of random number generation apparatus. Subsequently, some of the worst case results (e.g., poor overlap with vacuum) may be used to design the random number generation protocol. For example, the entropy witness may be designed taking into account the worst case results to reduce a probability of rejecting a random quantum bit string at entropy verification step. Further, other aspects such as size of random quantum bit strings, or parameters of the seed extractor may be selected based on the worst case results obtained for the light source. As result, in addition to adjusting the output of the light source according to an energy-type constraint, the calibration and certification process of the light source allows for tailoring the random number generation protocol and the corresponding processes (e.g., randomness verification and extraction), according to the characteristics of a specific light source. This differs from existing QRNGs where a specific quantum state preparation is required by a random number generation protocol independent of the light source, which can potentially result in a low rate of quantum random number generation.

[0139] In some implementations, the photon statistic may be characterized using a method described in “Reconstruction of photon-number distribution using low-performance photon counters”, by G. Zambra and M. G-A Paris, published on 27 December 2006 in Physical Review A, Vol. 74, 063830, herein referred to as “Zambra”, the entire contents of which are incorporated by reference herein and made a part of this specification. In the Zambra method, when the laser beam is directed onto a photodetector, an output of the photodetector comprises a current pulse whose charge has a statistical distribution of actual photon numbers convolved with a Bernoulli distribution. In the Zambra method, an inversion of Bernoulli convolution may be performed by maximum likelihood methods assisted by measurements taken at different detector quantum efficiencies. The method can be used to show that detectors can discriminate between zero, one and more than one detected photons are generally enough to provide a reliable reconstruction of the photon number distribution for single peaked distributions. Tn addition, the Zambra method can identify that, for semiclassical states of light, even on/off detectors arc enough to provide a good reconstruction. Finally, the Zambra method is able to show that a reliable reconstruction of multipeaked distributions requires either higher quantum efficiency or higher resolution.

[0140] In embodiments of the present disclosure, there are beneficially used simple “click/noclick” detectors. Optionally, in the embodiments of the present disclosure, it is feasible to distinguish between 0 photon and >1 photon.

[0141] In some cases, in the apparatus 10, the laser 25 is implemented as a selfpulsing laser; by an such approach, the laser 25 is able to limit its own pulse power, thereby imparting the laser 25 with greater operating stability.

[0142] In various implementations described above, the photon source used in the optical (photonic system) of the apparatus, 10, 500, system 400, and the optoelectronic system 600 my comprise a incoherent light source or light source having an optical coherence lower than coherence of a laser beam. For example, the photon source 507a may comprise a light emitting diode (LED) or other source of light that generate photons dominantly via spontaneous emission.

Energy-like constraints on the light source

[0143] The device-independent (DI) protocols offers cryptographically secure protocols for quantum random number generation. These protocols may not require the characterization of a quantum device (e.g., a quantum device used for quantum random number generation) since beyond a minimal set of assumptions on the physical implementation (for instance, that the devices are shielded), the security and privacy of the resulting quantum random numbers may not be affected by parameters other than those associated an statistics of the output of the quantum device (e.g., photon statistics in a photon stream output by a quantum optical device). On the downside, device independence requires the use of entanglement based protocols, which are experimentally demanding and offer very low rates of certified entropy, if any.

[0144] The random number generating systems described above function based on a semi-device independent (SDI) approach to quantum random number generation, where by imposing well-chosen extra physical assumptions on the a device (e.g. a quantum device) of the system, most security benefits of a DT approach may be preserved without using quantum entanglement or certain other features that limit practical use of the corresponding protocol due to challenges associated with physical implementations of those features. An example SDI approach, which is used in the apparatus 10, 500, system 400, and the optoelectronic system 600, is the prepare-and-measure method where a quantum state is prepared and then measured to generate a quantum event or a random quantum bit. In the prepare-and-measure method, the preparation (e.g., preparation of a photon steam) includes a bounded energy-type of constraint (e.g. energy, photon number, overlap with the vacuum) on the quantum states prepared by a source (e.g., a laser) of the quantum device. As opposed to constraints considered in some other methods, for instance the assumption that the states belong to a Hilbert space of bounded dimension, the energy-type constraints can be monitored experimentally, allowing a high level of confidence on the validity of the assumptions. Advantageously, this approach leaves the measurement device (e.g., a photodetector), a component most prone to adversary attacks, uncharacterized.

[0145] In particular, the apparatus 10, 500, system 400, and the optoelectronic system 600, described above may implement an On-Off-Keying (OOK) protocol, which uses a quantum device composed of a light source (e.g., a laser) with two preparation modes (vacuum or coherent state) and a single photon detector (SPD) which either detects a photon or not. This constitutes one of the simplest quantum devices from which it is possible to certify randomness (e.g., quantum randomness) in a semi-device in- dependent approach. The choice of preparation is performed independently from the quantum device, using the output of a biased pseudo-random number generator (PRNG), making this a randomness expansion protocol.

[0146] In some implementations, a preparation device, ‘source’ (e.g., a light source), and a measurement device, ‘detector’ (e.g. a photodetector), are connected via a quantum channel (optical ink) but do not sharing any entanglement. The source and the detector are only allowed to communicate through the quantum channel. In some cases, the source takes an input A' E {0, 1], chosen independently from the source and the detector, and prepares a physical system in one of two possible quantum states p _x . These systems are sent to the detector, where a measurement M with two possible outcomes a E {-1, 1 } is performed. [0147] By choosing preparation x over many uses of the device the probability of obtaining outcome a, may be expressed as p(a\x). In a correlation space (equivalent to the probability space since a is binary), the expected (statistical) value of the outcome for each preparation x can have the form:

[0148] Equation 1 quantifies the bias of the outcomes towards one of the two outputs. In a fully device-independent scenario, where one does not make any assumptions on the internal functioning of the devices, any set of correlations E _x can be obtained with a deterministic strategy from the point of view of an adversary. This can readily be seen by the fact that if the source is able to send the preparation choice x to the detector, any E _x can be obtained by a deterministic response function, which would depend on classical randomness shared by the detector and the adversary. Although apparently random, the outputs from the detector would then be perfectly predictable by the adversary.

[0149] In order to find a separation between the set of allowed correlations E _x with deterministic strategies and the set of quantum strategies, the assumption that the source prepares states that have bounded expected value for a given observable O, can be added t. The observable O satisfies two conditions: i. O has a non-degenerate ground state, ii. O has a finite gap between the ground state and next eigenstate(s).

[0150] Without loss of generality, it can be assumed that the eigenvalue associated with ground-state has value 0 and the gap is 1. Examples of such an observable are the energy, photon number or the overlap with the vacuum, which can be experimentally controlled and characterized. In some cases, the observable O may be referred to as an energy observable. An appropriate bound on the expected value of O for the prepared states may prevent the source from sending the input choice x to the detector.

[0151] Income cases, a user of the quantum device can have access to mean energies:

[0152] An adversary with access to classical side information - represented by a random variable A distributed with (A) - may know the mean energies for every different value of A: THpA?)

[0153] comprises an upper bound on the mean energies observed by the user of device and can be expresses as:

< ⁵ $• 2^ > . v

[0154] A max-peak assumption further imposes an upperbounds on the mean energies observed by the adversary: - ₍₃₎

[0155] The max-average assumption represents a lighter physical assumption on the source: the user can check its validity by measuring the energy of the preparations x over a sufficiently large number of rounds, with a trusted detector. The max-peak assumption requires having precise knowledge of the internal functioning of the source to impose absolute limits on the energies of states prepared by the source. By characterization of the source using a trusted detector, it is possible test and verify the validity of the max-peak assumption for a given source (e.g., a light source such as a laser).

[0156] Advantageously, the max-peak assumption allows certification of randomness in cases where it is may not be possible to certify randomness under the maxaverage assumption. An example is the case for the On-Off-Keying (OOK) scheme used in the random number generating systems described above.

[0157] One of the challenges of an implementation of the OOK scheme can be guaranteeing that the max peak assumption holds. This condition may impose bounds on the mean energies w* of any state prepared by the light source, for given power input, photon source (laser) temperature, and other photo source parameters. This can require a full modelling of the light source, which may not be practical. In some implementations, with some assumptions on the behavior of the source, the max peak assumption verified, at least to some degrees, during characterization and certification described above, with respect to laser power and energy-type constraint. As described above, such characterization can be performed in the factory and in with controlled conditions using a high spec and extensively characterized trusted detector. Upon certification of the light source, quantum device, used in the certified random number generator (e.g., apparatus 500) is built with a different detector that can be untrusted. Example embodiments

[0158] Various additional example embodiments of the disclosure can be described by the following Examples:

Group 1

[0159] Example 1. An apparatus for generating a certified random number, wherein the apparatus is a self-contained hardware unit configured to operate at substantially room temperature, wherein the apparatus includes a quantum random number generator including a quantum device to generate a quantum random bit string, an extractor to generate the certified random number using the quantum random bit string, and a control and processing unit that is configured to control and monitor operation of the apparatus.

[0160] Example 2. The apparatus of Example 1, wherein the apparatus is configured to generate data keys including postquantum cryptographic keys.

[0161] Example 3. The apparatus of Example 1 or 2, wherein the quantum random number generator is implemented using a laser to generate photons, an optical arrangement that is configured to couple a portion of the photons from the laser to a detector arrangement, and a processing arrangement to process a signal from the detector arrangement, wherein the optical arrangement is configured with the detector arrangement to create conditions for single photon quantum events in a spatial or temporal regime, wherein the detector arrangement is configured to detect the events, and the processing arrangement is configured to apply a statistical test to verify a level of entropy of the detected events.

[0162] Example 4. The apparatus of Example 3, wherein the statistical test includes evaluating a level of entropy of events using an entropy witness hardcoded in the apparatus.

[0163] Example 5. The apparatus of Example 3 or 4, wherein the laser is implemented as a pulsed laser. [0164] Example 6. The apparatus of any one of Examples 1 to 5, wherein the extractor is implemented as a Dodis extractor.

[0165] Example 8. The apparatus of any one of the preceding Examples, wherein the apparatus is configured to switch from an operating phase when outputting data keys to a “quick off’ phase, wherein the quantum device is used to generate a seed for use in the seeded random number generator.

[0166] Example 9. The apparatus of any one of the preceding Examples, wherein data processing required for the apparatus to function when in use is implemented using at least one FPGA.

[0167] Example 10. The apparatus of any one of the preceding Examples, wherein the apparatus is implemented using hardware that can be contained within a volume of less than 1000 cm3.

[0168] Example 11. The apparatus of any one of the preceding Examples, wherein the apparatus is configured to dissipate less than 10 Watts when in operation.

[0169] Example 12. A method of using an apparatus to generate a certified random number, wherein the apparatus is a self-contained hardware unit configured to operate at room temperature, wherein the method includes:

[0170] (a) configuring the apparatus to include a quantum random number generator including a quantum device to generate a quantum random bit string;

[0171] (b) using an extractor to generate the certified random number using the quantum random bit string, and

[0172] (c) using a control and processing unit to control and monitor operation of the apparatus.

[0173] Example 13. The method of Example 12, including configuring the apparatus to generate the random numbers as postquantum cryptographic keys.

[0174] Example 14. The method of using the apparatus of Example 12 or 13, wherein the method includes:

[0175] Example 15. implementing the quantum random number generator using a laser to generate photons;

[0176] Example 16. using an optical arrangement to couple a portion of the photons from the laser (25) to a detector arrangement; [0177] Example 17. using a processing arrangement to process a signal from the detector arrangement, wherein the optical arrangement is configured with the detector arrangement to create conditions for single photon quantum events in a spatial or temporal regime;

[0178] Example 18. using the detector arrangement to detect the events, and using the events to generate a quantum random bit string, and

[0179] Example 19. using the processing arrangement to apply a statistical test to verify that the quantum random bit string satisfies a minimum entropy condition associated with an entropy witness stored in the processing arrangement.

[0180] Example 20. A machine-readable data storage medium comprising specific instructions that are executable on data processing hardware, wherein the instructions, when executed by the data processing hardware, implement the method of any one of Examples 13 to 15.

Group 2:

[0181] Example 1. An apparatus for generating a certified random number based at least in part on quantum events, the apparatus comprising: a quantum device configured to generate the quantum events; a classical computing device in communication with the quantum device, the classical computing device comprising a control and processing system, wherein the control and processing system comprises a memory configured to store specific computer-executable instructions and a hardware processor in communication with the memory and configured to execute the specific computer-executable instructions to at least: generate a quantum random bit string using the quantum device; determine an entropy level of the quantum random bit string using a plurality of entropy witnesses; and in response to determining that the entropy level of the quantum random bit string is greater than an entropy level associated with an entropy witness of the plurality of entropy witnesses, use the quantum random bit string to generate the certified random number. [0182] Example 2. The apparatus of Example 1 , wherein the control and processing system uses a pseudo-random number generator implemented on the classical computing device to trigger a series of preparation steps in the quantum device and to generate the quantum random bit string using a corresponding series of measurement steps.

[0183] Example 3. The apparatus of a Example 2, wherein the control and processing system determines the entropy level of the quantum random bit string based at least in part on a pseudo-random number generated by the a pseudo-random number generator.

[0184] Example 4. The apparatus of any one of Examples 1-3, wherein the plurality of entropy witnesses comprises a sorted set of entropy witnesses, sorted in descending entropy order with respect to corresponding entropy levels.

[0185] Example 5. The apparatus of Example 4, wherein the control and processing system determines the entropy level of the quantum random bit string by sequentially testing the quantum random bit string against the entropy witnesses of the sorted set starting with the first entropy witness associated with the highest entropy level in the sorted set.

[0186] Example 6. The apparatus of any one of Examples 1-5, wherein the plurality of entropy witnesses comprises at least two entropy witnesses, having substantially the same entropy level.

[0187] Example 7. The apparatus of any one of Examples 1-6, wherein the control and processing system tests the quantum random bit string against the plurality of entropy witnesses and determines that the entropy level of the quantum random bit string is greater than an entropy level associated with an entropy witnesses of the plurality of entropy witnesses.

[0188] Example 8. The apparatus of any one of Examples 1-7, wherein individual entropy witnesses of the plurality of entropy witnesses are associated with different conditions of the quantum apparatus.

[0189] Example 9. The apparatus of any one of Examples 1-8, wherein the quantum device comprises a photonic system comprising a light source configured to generate light and a photodetector configured to receive the light generated by the light source to generate the quantum events. [0190] Example 10. The apparatus of Example 9, wherein the light source comprises an optical link configured such that the light received by the photodetector satisfies an energy-type constraint.

[0191] Example 11. The apparatus of Example 10, wherein the light source is certified using a calibration and certification process comprising adjusting the optical link such that the light received by the photodetector satisfies an energy-type constraint.

[0192] Example 12. The apparatus of Example 11, wherein energy-type constraint comprises a lower bound on an overlap between a quantum state of the light generated by the light source and a vacuum state.

[0193] Example 13. The apparatus of any one of Examples 1-12, further comprising a sensor configured to generate a sensor signal indicative of condition of the quantum device, wherein the control and processing system generates the certified random number based at least in part on the sensor signal.

[0194] Example 14. The apparatus of Example 13, wherein in response to determining that a sensor signal indicates a deviation of the condition of the quantum device from a predefined condition by a threshold amount, the control and processing system rejects the quantum random bit string.

[0195] Example 15. The apparatus any one of Examples 13 or 14, wherein in response to determining that a sensor signal indicates a deviation of the condition of the quantum device from a predefined condition by a threshold amount, the control and processing system generates a warning message via user interface of the apparatus.

[0196] Example 16. The apparatus of any one of Examples 13-15, wherein the condition of the quantum device comprises an environmental condition of the quantum device.

[0197] Example 17. The apparatus of any one of Examples 13-16, wherein the condition of the quantum device comprises a temperature of the quantum device.

[0198] Example 18. The apparatus of Example any one of Examples 1-17, wherein the classical computing device comprises a single electronic board comprising at least a field programmable gate array. [0199] Example 19. The apparatus of any one of Examples 1 -17, wherein the control and processing system uses a random number extractor implemented on the classical computing device to extract the certified random number using the quantum random bit string.

[0200] Example 20. The apparatus of Example 19, wherein the random number extractor is a Dodis extractor.

[0201] Example 21. The apparatus of any one of Examples 19 or 20, wherein the random number extractor is a seeded extractor.

[0202] Example 22. The apparatus of Example 21, wherein a seed random number used by the random number extractor is a cryptographic random number hardcoded in the classical computing system.

[0203] Example 23. The apparatus of Example 19, wherein in a time period after generation of the certified random quantum number, the control and processing system operates the apparatus in a kick-off mode to generate a seed random number to be used by the random number extractor.

[0204] Example 24. The apparatus of Example 23, wherein in the kick-off mode the control and processing system generates two quantum random bit strings using the quantum device and operates the random number extractor as two- source random number extractor to generate the seed random number using the two quantum random bit strings.

[0205] Example 25. The apparatus of any one of Examples 1-24, wherein the apparatus is a self-contained hardware unit configured to operate at substantially room temperature.

[0206] Example 26. A method of generating a certified random number based at least in part on quantum events, the method comprising, by a hardware processor of a control and processing system: using a quantum device configured to generate a quantum random bit string; determining an entropy level of the random bit string using a plurality of entropy witnesses; and in response to determining that the entropy level of the quantum random bit string is greater than an entropy level associated with an entropy witness of the plurality of entropy witnesses, generating the certified random number using the quantum random bit string. [0207] Example 27. The method of Example 26, wherein determining the entropy level of the quantum random bit string comprises testing the quantum random bit string against the entropy witnesses of the plurality of entropy witnesses and determining the an entropy level of the quantum random bit string is greater than an entropy level associated with an entropy witnesses of the plurality of entropy witnesses.

[0208] Example 28. The method of any one of Examples 26 or 27, wherein the plurality of entropy witnesses comprises a sorted set of entropy witnesses, sorted in descending entropy order with respect to corresponding entropy levels.

[0209] Example 29. The method of Example 28, wherein determining the entropy level of the quantum random bit string comprises sequentially testing the quantum random bit string against the entropy witnesses of the sorted set starting with the first entropy witness associated with the highest entropy level in the sorted set.

[0210] Example 30. The apparatus of any one of Examples 26-29, wherein individual entropy witnesses of the plurality of entropy witnesses are associated with different conditions of the quantum apparatus.

[0211] Example 31. The apparatus of any one of Examples 26-29, wherein the quantum device comprises a photonic system comprising a light source configured to generate light and a photodetector configured to receive the light generated by the light source to generate the quantum events.

[0212] Example 32. The apparatus of Example 31, wherein the light source comprises an optical link configured such that the light received by the photodetector satisfies an energy-type constraint.

[0213] Example 33. The apparatus of Example 32, wherein the light source is certified using a calibration and certification process comprising adjusting the optical link such that the light received by the photodetector satisfies the energy-type constraint.

[0214] Example 34. The apparatus of any one of Examples 32 or 33, wherein energy-type constraint comprises a lower bound on an overlap between a quantum state of the light generated by the light source and a vacuum state.

[0215] Example 35. A method of calibrating and certifying a light source for usage in a quantum device for generating quantum random bit strings, the light source comprising a photon source and an optical link, wherein the optical link transmits at least a portion of light generated by the photon source to a photodetector, the method comprising: measuring the portion of light received by the photodetector while controlling the photon source with a first trigger signal using the photodetector, to determine a quantum state of the portion of light received by the photodetector with respect to an energy-type constraint; in response to determining that the portion of light received by the photodetector does not satisfy the energy-type constraint, adjusting the optical link to attenuate the portion of light received by the photodetector; measuring the attenuated portion of light received by the photodetector while controlling the photon source with a second trigger signal using the photodetector, to determine a quantum state of the attenuated portion of light receive by the photodetector with respect to the energy-type constraint; and in response to determining that the portion or the attenuated portion of received by the photodetector or satisfies the energy-type constraint, certifying the light source for usage in the quantum device.

[0216] Example 36. The method of Example 35, wherein the optical link comprises an optical attenuator and adjusting the optical link comprises adjusting a level of optical attenuation of the optical attenuator.

[0217] Example 37. The method of any one of Examples 34 or 35, wherein the optical link comprises an optical fiber waveguide and adjusting the optical link comprises adjusting a level of optical attenuation in an optical connection to the optical fiber waveguide.

[0218] Example 38. The method of any one of Examples 35-37, wherein the attenuated the attenuated portion of light received by the photodetector is attenuated by at least 10 dB with respect to the light generated by the light source.

[0219] Example 39. The method of any one of Examples 35-38, wherein the light generated by the photon source comprises at least one optical pulse.

[0220] Example 40. The method of any one of Examples 35-39, wherein measuring the portion of or the attenuated portion of light received by the photodetector, comprises determining an overlap between measured quantum state of the portion or attenuated portion of light and the vacuum state. [0221] Example 41 . The method of any one of Examples 35-40, wherein the portion or the attenuated portion of received by the photodetector or satisfies the energy-type constraint comprises determining that the determined overlap between measured quantum state of the portion or attenuated portion of light and the vacuum state is larger than a minimum overlap.

[0222] Example 42. The method of any one of Examples 35-41, wherein the portion of light or the attenuated portion of light received by the photodetector comprises a plurality of optical pulses.

[0223] Example 43. The method of Example 42, wherein the first and the second trigger signals comprise pseudo-random bit strings and an individual optical pulse is associated with a bit of the pseudo-random bit string.

[0224] Example 44. The method of Example 43, wherein measuring the portion or the attenuated portion of light received by the photodetector comprises determining an average probability of detecting photons based at least in part on the corresponding pseudorandom bit string.

[0225] Example 45. The method of of any one of Examples 35-44, wherein the photodetector is a trusted photodetector protected from being tampered by an adversary.

[0226] Example 46. The method of any one of Examples 35-46, further comprising disconnecting the optical source from the photodetector and connecting it to a photodetector of a quantum device of a quantum random bit generator (QRBG).

[0227] Example 47. The method of any one of Examples 35-46, wherein the photodetector is mechanically, thermally, or electromagnetically, electrically, magnetically isolated from a surrounding environment.

[0228] Example 48. An apparatus for generating a certified quantum random number in an operational mode and a seed random number in a kick-off mode, the apparatus comprising: a quantum device configured to generate the quantum events; a classical computing device in communication with the quantum device, the classical computing device comprising a control and processing system configured to: use the quantum device to generate a first and a second quantum random bit string; generate the seed random number using the first and the second quantum random bit strings; use the quantum device to generate a third quantum random bit string; and generate the certified random number using the third quantum random bit string and the seed random number.

[0229] Example 49. The apparatus of Example 48, wherein the control and processing system is further configured verify an entropy level of the first and the second bit strings based on an entropy witness before generating the seed random number.

[0230] Example 50. The apparatus of any one of Examples 48 or 49, wherein the control and processing system selects the entropy witness from a plurality of entropy witnesses.

[0231] Example 51. The apparatus of any one of Examples 48-50, wherein the control and processing system is further configured to reset the quantum device after generating of the first quantum random bit string and before generating the second random bit.

[0232] Example 52. The apparatus of any one of Examples 48-51, wherein the control and processing system configures a random number extractor implemented in the classical computing system as a two-source extractor and provide the first and the second quantum random bit strings to the two-source extractor to generate the seed random number.

[0233] Example 53. The apparatus of Example 52, wherein, after generating the seed random number, the control and processing system configures the random number extractor as a seeded extractor to generate the certified random number.

[0234] Example 54. The apparatus of any one of Examples 48-53, wherein quantum device comprises a light source configured to generate a photon stream and a photodetector configured to receive at least a portion of the photon stream via an optical link.

[0235] Example 55. The apparatus of Example 54, wherein the light source and the optical link are configured such that an expectation value of an energy observable with respect to a quantum state of the photon stream is bounded.

[0236] Example 56. The apparatus of Example 55, wherein the energy observable comprises energy, photon number, or an overlap with the vacuum state. [0237] Example 57. The apparatus of any one of Examples 54-56, wherein the light source and the optical link arc configured such that an overlap between a quantum state of the photon stream and a vacuum state is greater than a threshold value.

[0238] Example 58. An method of generating a certified quantum random number in an operational mode and a seed random number in a kick-off mode, the method comprising, by a control and processing system: generating a first and a second quantum random bit string using a quantum device; generating the seed random number using the first and the second quantum random bit strings; generating a third quantum random bit string using the quantum device; and generating the certified random number using the third quantum random bit string and the seed random number.

[0239] Example 59. The method of Example 58, further comprising verifying an entropy level of the first and the second bit strings based on an entropy witness before generating the seed random number.

[0240] Example 60. The method of Example 59, wherein verifying an entropy level of the first and the second bit strings further comprises selecting the entropy witness from a plurality of entropy witnesses.

[0241] Example 61. The method of any one of Examples 58-60, further comprising resetting the quantum device after generating of the first quantum random bit string and before generating the second random bit.

[0242] Example 62. The method of any one of Examples 58-61, wherein generating the seed random number comprises configuring a random number extractor as a two-source extractor and providing the first and the second quantum random bit strings to the two-source extractor to generate the seed random number.

[0243] Example 63. The method of Example 62, wherein generating the certified random number comprises configuring the random number extractor, after generating the seed random number, as a seeded extractor and generating the certified random number using the seeded extractor. [0244] Example 64. The method of any one of Examples 62 or 63, wherein the random number extractor comprises a Dodis extractor.

Terminology

[0245] Modifications to embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as “including”, “comprising”, “incorporating”, “consisting of’, “have”, “is” used to describe and claim the present disclosure are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural; as an example, “at least one of’ indicates “one of’ in an example, and “a plurality of’ in another example; moreover, “two of’, and similarly “one or more” are to be construed in a likewise manner. Numerals included within parentheses in the accompanying claims are intended to assist understanding of the claims and should not be construed in any way to limit subject matter claimed by these claims.

[0246] The phrases “in an embodiment”, “according to an embodiment” and the like generally mean the particular feature, structure, or characteristic following the phrase is included in at least one embodiment of the present disclosure and may be included in more than one embodiment of the present disclosure. Importantly, such phrases do not necessarily refer to the same embodiment.

[0247] The term “computer” or “computing-based device” is used herein to refer to any device with processing capability such that it executes instructions. Those skilled in the art will realize that such processing capabilities are incorporated into many different devices and therefore the terms “computer” and “computing-based device” each include personal computers (PCs), servers, mobile telephones (including smart phones), tablet computers, set- top boxes, media players, games consoles, personal digital assistants, wearable computers, and many other devices.

[0248] The methods described herein are performed, in some examples, by software in machine readable form on a tangible, non-transitory storage medium, e.g., in the form of a computer program comprising computer program code adapted to perform the operations of one or more of the methods described herein when the program is run on a computer and where the computer program may be embodied on a non-transitory computer readable medium. The software is suitable for execution on a parallel processor or a serial processor such that the method operations may be carried out in any suitable order, or simultaneously.

[0249] This acknowledges that software is a valuable, separately tradable commodity. It is intended to encompass software, which runs on or controls “dumb” or standard hardware, to carry out the desired functions. It is also intended to encompass software which “describes” or defines the configuration of hardware, such as HDL (hardware description language) software, as is used for designing silicon chips, or for configuring universal programmable chips, to carry out desired functions.

[0250] Those skilled in the art will realize that storage devices utilized to store program instructions are optionally distributed across a network. For example, a remote computer is able to store an example of the process described as software. A local or terminal computer is able to access the remote computer and download a part or all of the software to run the program. Alternatively, the local computer may download pieces of the software as needed or execute some software instructions at the local terminal and some at the remote computer (or computer network). Those skilled in the art will also realize that by utilizing techniques known to those skilled in the art that all, or a portion of the software instructions may be carried out by a dedicated circuit, such as a digital signal processor (DSP), programmable logic array, or the like.

[0251] Any range or device value given herein may be extended or altered without losing the effect sought, as will be apparent to the skilled person.

[0252] Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

[0253] It will be understood that the benefits and advantages described above may relate to one embodiment or may relate to several embodiments. The embodiments are not limited to those that solve any or all of the stated problems or those that have any or all of the stated benefits and advantages. No single feature or group of features is necessary or indispensable to every embodiment.

[0254] Conditional language used herein, such as, among others, “can,” “could,” “might,” “may,” “e.g.,” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements, and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements, and/or steps are included or are to be performed in any particular embodiment. The terms “comprising,” “including,” “having,” and the like are synonymous and are used inclusively, in an open-ended fashion, and do not exclude additional elements, features, acts, operations, blocks, and so forth. Also, the term “or” is used in its inclusive sense (and not in its exclusive sense) so that when used, for example, to connect a list of elements, the term “or” means one, some, or all of the elements in the list. In addition, the articles “a,” “an,” and “the” as used in this application and the appended claims are to be construed to mean “one or more” or “at least one” unless specified otherwise.

[0255] As used herein, a phrase referring to “at least one of’ a list of items refers to any combination of those items, including single members. As an example, “at least one of: A, B, or C” is intended to cover: A; B; C; A and B; A and C; B and C; and A, B, and C. Conjunctive language such as the phrase “at least one of X, Y, and Z,” unless specifically stated otherwise, is otherwise understood with the context as used in general to convey that an item, term, etc. may be at least one of X, Y, or Z. Thus, such conjunctive language is not generally intended to imply that certain embodiments require at least one of X, at least one of Y, and at least one of Z to each be present.

[0256] The operations of the methods described herein may be carried out in any suitable order, or simultaneously where appropriate. Additionally, individual blocks may be deleted from, combined with other blocks, or rearranged in any of the methods without departing from the scope of the subject matter described herein. Aspects of any of the examples described above may be combined with aspects of any of the other examples described to form further examples without losing the effect sought. [0257] It will be understood that the above description is given by way of example only and that various modifications may be made by those skilled in the art. The above specification, examples, and data provide a complete description of the structure and use of exemplary embodiments. Although various embodiments have been described above with a certain degree of particularity, or with reference to one or more individual embodiments, those skilled in the art could make numerous alterations to the disclosed embodiments without departing from the scope of this specification.